Service Organization Control (SOC) 1 reports are to be conducted in accordance with Statement on Standards for Attestation Engagements (SSAE) No. 16, Reporting on Controls at a Service Organization. SSAE 16 is effectively replacing the SAS 70 auditing standard for reporting periods ending on or after June 15, 2011. Much like SAS 70, SSAE 16 provides two (2) reporting options; Type 1, a report on a service organization's system and the suitability of the design of controls", while an SSAE 16 Type 2 Report is officially a "Report on management's description of a service organization's system and the suitability of the design and operating effectiveness of controls". However, fast forward to 2017, and SSAE 16 has effectively been replaced by SSAE 18.
Hello to SSAE 18 and Goodbye to SSAE 16
The AICPA has issued numerous audit guides over the years for SSAE 16 (Applying SSAE No. 16, Reporting on Controls at a Service Organization) to help assist auditors and interested parties alike in better planning for the new changes brought about by the SSAE 16 standard. There's now a number of SSAE 18 audit guides also available from the AICPA.
SSAE 18 Type 1 and Type 2 reports under the SOC 1 reporting framework represent an effort by the AICPA to utilize this new attestation standard in the very manner for which the original SAS 70 standard was designed for, which is “reporting on controls” related to that of financial matters. As such, look for SOC 1 SSAE 18 Type 1 and SOC 1 SSAE 18 Type 2 reports to be furnished for service organizations that are undertaking activities and relevant procedures that have the potential to directly impact a client’s financials.
Note: It's fair to assume that the commonly accepted phrases for SOC 1 Reporting will simply be known as SSAE 18 Type 1 Reports and SSAE 18 Type 2 Reports.
Get Educated on SSAE 18!
Thus, you will need to familiarize yourself with all aspects of the SSAE 18 professional Standard, such as the following:
• Why a New Standard?
• Description of the Service Organization's "system".
• The Written Assertion by Management.